With the government trying to keep up with security concerns generated by its digitisation push, Appknox has been called in by NPCI to protect UPI-based apps from hacking into your bank accounts.

Chhavi Tyagi | ET Online | March 17, 2017, 09:23 IST

As digitisation picks up steam with Indians expected to transact Rs 4 crore digitally every day this year, privacy of their data has become a paramount concern. The government is caught between encouraging digitisation and ensuring secure platforms. This is where startups like Appknox come in.

Specialising in mobile app security, Appknox recently identified 291 critical vulnerabilities (181 of them rated high criticality) in Unified Payments Interface (UPI) based mobile applications developed by banks and other fintech companies. These vulnerabilities had the potential to expose a user's entire bank details to any hacker.

"There were issues where we could bypass the entire security gamut and get access to a user's bank account details and even download those details easily. We found hackers can easily manipulate these loopholes to misuse the data," says Appknox cofounder and CEO, Harshit Agarwal.

The team at Appknox, driven by Agarwal and cofounders Subho Halder and Prateek Panda, was hired by NPCI in July 2016 and has been scanning UPI-based apps since November. These apps, developed and launched by banks and other fintech companies, have already seen heavy downloads and have lakhs of users transacting online.

The team found 181 high-, 83 medium- and 27 low-criticality vulnerabilities in the 35-plus apps it evaluated. The National Payments Corporation of India (NPCI) then advised the banks to act quickly on the suggestions provided by Appknox in order to negate these threats.

Among other threats, the team was particularly concerned about basic security steps which the hackers at Appknox were easily able to circumvent. The login password step was bypassed by the team in a number of UPI-based apps, which could take any hacker directly into a user's account and give access to that user's information.

The majority of these apps depend on an OTP (one-time password) step to provide an extra layer of security to their users. The team shares that it was able to brute-force this step and log into a user's account with little effort.
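The brute-force exposure described above comes down to whether the server bounds how many guesses a single OTP challenge accepts. The following is an added example (not code from the article, Appknox, NPCI or any bank's app) that contrasts a verifier with no attempt limit against one that expires and locks the challenge; the policy values (6 digits, 5 attempts, 120-second lifetime) are assumptions.

```python
import hmac
import secrets
import time

# Assumed policy values for this example (not from the article or any bank's app).
OTP_DIGITS = 6
MAX_ATTEMPTS = 5          # lock the challenge after this many wrong guesses
OTP_TTL_SECONDS = 120     # a challenge older than this can never succeed


class OtpChallenge:
    """Server-side state for one OTP challenge (constructed example)."""

    def __init__(self, now=None):
        self.secret = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.issued_at = time.time() if now is None else now
        self.attempts = 0
        self.locked = False


def verify_unlimited(challenge, guess):
    """Weak verifier: no attempt cap and no expiry, so all 10**OTP_DIGITS
    codes can be tried against the same challenge until one matches."""
    return hmac.compare_digest(challenge.secret, guess)


def verify_hardened(challenge, guess, now=None):
    """Hardened verifier: expiry, attempt cap with lockout, constant-time compare."""
    now = time.time() if now is None else now
    if challenge.locked:
        return False
    if now - challenge.issued_at > OTP_TTL_SECONDS:
        challenge.locked = True          # expired: reject and never accept again
        return False
    challenge.attempts += 1
    ok = hmac.compare_digest(challenge.secret, guess)
    if not ok and challenge.attempts >= MAX_ATTEMPTS:
        challenge.locked = True          # too many wrong guesses: lock it
    return ok


def simulate_guessing(challenge, verifier, budget=10 ** OTP_DIGITS):
    """Feed sequential guesses to a verifier to measure its exposure.
    Returns (guesses spent, whether the challenge was passed)."""
    for i in range(budget):
        if verifier(challenge, f"{i:0{OTP_DIGITS}d}"):
            return i + 1, True
    return budget, False


def guess_success_probability(max_attempts=MAX_ATTEMPTS, digits=OTP_DIGITS):
    """Chance that a guesser passes one challenge under the attempt cap."""
    return max_attempts / 10 ** digits
```

Run against the weak verifier, the simulation always ends with a pass; against the hardened one it stops being able to succeed after five wrong guesses, which is the check a reviewer would look for in an OTP flow.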

Given that these apps were developed by banks, which are considered the safest financial platforms, the team was surprised at the ease with which it was able to hack into them.

"These banks have internal audits and we expected their apps to be pretty secure. Banks are the most important sector in the fintech sector and have to be pretty ahead of the curve of security. Thus, we were surprised at how easily we could find loopholes in these apps. Whatever these banks are doing is not enough for mobile app security," said Agarwal.

While banks are still the most secure way of transferring money digitally on platforms like NEFT, mobile apps, shares Agarwal, are a different ball game altogether.

"Mobiles can be hacked in very different ways and the internal team at these banking institutions is not that great with mobile apps. The whole security landscape is very different when it comes to mobiles," says Agarwal.

A worrying statement indeed, when financial transactions are increasingly moving from websites to mobile apps with the proliferation of e-wallets and other payment systems.

Several mobile apps have sprung up in the last couple of years, giving users an easy way to transact online. To prevent this ease from turning into a security disaster, the government is working keenly on regulations.

"The government is getting very strict when it comes to security. The central government recently made empanelment mandatory for any mobile app in bank payment gateway. Regulators have been proactive in ensuring that companies follow certain standards," shares Agarwal.

NPCI, shares Agarwal, was quick to get banks to plug the loopholes found by the team at Appknox.

Talking about NPCI's experience with Appknox, its Head of Risk Management, Bharat Panchal, said in a statement, "Appknox has been a crucial partner with us to ensure utmost security of our UPI-based application. We have had good early detection of vulnerabilities with the help of very energetic and brilliant security professionals."

The threat, however, is persistent and ever-changing, and both the government and fintech institutions will need all the help they can find to keep hackers away from sensitive user information if the digitisation push is to go further.

"It's a never-ending race where hackers look for more loopholes and banking companies innovate to keep ahead. The problem is that banks and other fintech institutions rely on a single vendor for all their security concerns. What they do not realise is that there could be many brains working to break the system and relying on a single brain for security is really dangerous," says Agarwal.

Appknox specialises in providing security to mobile apps and currently services 100 plus companies in the fintech sector.